diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
index e034e0b9b..f0580f00a 100644
--- a/barbican/common/policies/orders.py
+++ b/barbican/common/policies/orders.py
@@ -12,12 +12,13 @@ from oslo_policy import policy
+_MEMBER = "role:member"
 rules = [
 policy.DocumentedRuleDefault(
 name='orders:get',
- check_str='rule:all_but_audit',
- scope_types=[],
+ check_str=f'rule:all_but_audit or {_MEMBER}',
+ scope_types=['project'],
 description='Gets list of all orders associated with a project.',
 operations=[
 {
@@ -28,8 +29,8 @@
 ),
 policy.DocumentedRuleDefault(
 name='orders:post',
- check_str='rule:admin_or_creator',
- scope_types=[],
+ check_str=f'rule:admin_or_creator or {_MEMBER}',
+ scope_types=['project'],
 description='Creates an order.',
 operations=[
 {
@@ -40,8 +41,8 @@
 ),
 policy.DocumentedRuleDefault(
 name='orders:put',
- check_str='rule:admin_or_creator',
- scope_types=[],
+ check_str=f'rule:admin_or_creator or {_MEMBER}',
+ scope_types=['project'],
 description='Unsupported method for the orders API.',
 operations=[
 {
@@ -52,8 +53,8 @@
 ),
 policy.DocumentedRuleDefault(
 name='order:get',
- check_str='rule:all_users',
- scope_types=[],
+ check_str=f'rule:all_users or {_MEMBER}',
+ scope_types=['project'],
 description='Retrieves an orders metadata.',
 operations=[
 {
@@ -64,8 +65,8 @@
 ),
 policy.DocumentedRuleDefault(
 name='order:delete',
- check_str='rule:admin',
- scope_types=[],
+ check_str=f'rule:admin or {_MEMBER}',
+ scope_types=['project'],
 description='Deletes an order.',
 operations=[
 {
diff --git a/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
new file mode 100644
index 000000000..0f23bc9e4
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
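Review bot: In the `orders:get` hunk the legacy rule is folded into the new check with `or` (`check_str=f'rule:all_but_audit or {_MEMBER}'`) instead of being attached as a `deprecated_rule`, so the release note's statement that the old policies are deprecated is not reflected in the code: oslo.policy emits no deprecation warning for them and operators cannot drop the legacy checks through `enforce_new_defaults`. The same pattern repeats in the `orders:post`, `orders:put`, `order:get` and `order:delete` hunks. Note also that `role:member` only tests the role on the caller's token, not that the token's project owns the order, so with `scope_types=['project']` ownership rests on whatever project filtering the controllers do; if that is not guaranteed for every operation here, the member part should be bound to the target project, e.g. `role:member and project_id:%(project_id)s` with the matching key in the enforcer target. For `order:delete` this widens a previously admin-only operation to every project member, which the release note in the same commit describes as "secret deletion" although it concerns orders.
```python
    policy.DocumentedRuleDefault(
        name='orders:get',
        check_str=_MEMBER,
        scope_types=['project'],
        description='Gets list of all orders associated with a project.',
        # … unchanged: operations …
        deprecated_rule=policy.DeprecatedRule(
            name='orders:get',
            check_str='rule:all_but_audit',
        ),
        deprecated_reason='<TODO: reason the legacy rule is being retired>',
        deprecated_since='<TODO: release>',
    ),
```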
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ Implement secure-rbac for orders resource.
+security:
+ - |
+ The current policy allows all users except those with the audit role to list orders or retrieve an orders metadata. The new desired policy will restrict this to members. For backwards compatibility, the old policies remain in effect, but they are deprecated and will be removed in future, leaving the more restrictive new policy.
+ - |
+ The new secure-rbac policy allows for secret deletion by members. This is a change from the previous policy that only allowed deletion by the project admin.